XDA Developers Android and Mobile Development Forum

[RT] Windows RT 8.1 Jailbreak Discussion

#1 - Toxickill (Member, OP) - Last edited by Toxickill; 2nd March 2014 at 04:59 PM

If you have nothing to add to this discussion please do not post. Thanks

I'm hoping that we can make a list of requirements for this jailbreak to happen. Please read along with us, and if you have any ideas regarding any of the steps, please help us out...

Thanks,

Toxickill.
#2 - LolitaPlus (Member)
In JB 8.0 we change a byte which indicates the sign level from "Microsoft" to "Unsigned".
Now this is protected by PatchGuard: you will get BSOD if you change it.

I think this is probably the only change.
#3 - Toxickill (Member, OP)
Quote: Originally Posted by LolitaPlus
> In JB 8.0 we change a byte which indicates the sign level from "Microsoft" to "Unsigned".
> Now this is protected by PatchGuard: you will get BSOD if you change it.
>
> I think this is probably the only change.

Well, can we bypass PatchGuard? People over at EasyHook have written a C# PatchGuard 3 bypass driver; maybe we can build off of that?
#4 - master.peterm (Senior Member)
Yeah, PatchGuard has been bypassed, I think: https://twitter.com/standa_t/status/437972336705159169
#5 - Toxickill (Member, OP)
Quote: Originally Posted by master.peterm
> Yeah, PatchGuard has been bypassed, I think: https://twitter.com/standa_t/status/437972336705159169

Ok, so now that it can be done, I'm going to fire up my Surface and get working on a new jailbreak tool. If all succeeds then I will update accordingly. Hopefully bypassing PatchGuard is all that is needed to run the old bypass methods. If PatchGuard stays bypassed then we can make the jailbreak persistent through sessions.
#6 - GoodDayToDie (Recognized Developer, Seattle)
Well, the other problem is that you can't attach a debugger to CSRSS.EXE anymore. So you need a different way to change the relevant value (or a way to bypass the Protected Process restriction).

I think Myriachan already has a way to do that, though; she mentioned that she'd managed to jailbreak but Patchguard was causing the system to crash, so she was working on a way around that.
#7 - Toxickill (Member, OP) - Last edited by Toxickill; 27th February 2014 at 09:34 PM
Quote: Originally Posted by GoodDayToDie
> Well, the other problem is that you can't attach a debugger to CSRSS.EXE anymore. So you need a different way to change the relevant value (or a way to bypass the Protected Process restriction).
>
> I think Myriachan already has a way to do that, though; she mentioned that she'd managed to jailbreak but Patchguard was causing the system to crash, so she was working on a way around that.

Would PatchGuard BSOD if we removed the protected process flag on CSRSS?
Also, would shellcode be able to call ntdll.dll methods? We might be able to code ARM shellcode and call a method to temporarily revoke its protected process flag.

Edit:
Could we attach the debugger to a non-protected process and execute shellcode that removes process protection? The only problem is that writing shellcode is not my thing, especially for ARM, where it's not documented as well.
#8 - Toxickill (Member, OP)

Also, could someone PM me with a cdb.exe that's signed for Windows RT 8.1? The one provided with the old jailbreak is only signed for 8.
#9 - GoodDayToDie (Recognized Developer, Seattle) - Last edited by GoodDayToDie; 27th February 2014 at 10:28 PM
... You do realize the Protected Process flag is in the kernel, right? How do you plan to remove it when, in order to modify kernel memory, you would need to attach to a protected process? It's not like this is the RO flag on a file or something.

The whole point of Windows protected processes is to avoid letting somebody debug them even if they have full control over the machine (they were originally designed for DRM). In testsigning mode or with a kernel debugger, they usually won't launch at all (CSRSS will - it's critical for all Win32 processes, including stuff like Explorer - but the DRM ones won't). This isn't something Microsoft is going to just allow people to turn off. We could theoretically patch around the restriction with the aforementioned kernel debugger or with a testsigned kernel-mode driver, but if we could put RT into Testsigning or use a KD on it we wouldn't need anything else at all anyhow; either of those are sufficient for an easy jailbreak.

When thinking about breaking into the system, think about what you want to accomplish. Then identify attack vectors to get there. Then think about how those attack vectors might be blocked. Then think about how you might bypass those blocks. Etc... If you can't get at least as far as the fourth step, you won't accomplish much (certainly not against a target as hardened as Windows).
#10 - Toxickill (Member, OP)
Quote: Originally Posted by GoodDayToDie
> ... You do realize the Protected Process flag is in the kernel, right? How do you plan to remove it when, in order to modify kernel memory, you would need to attach to a protected process? It's not like this is the RO flag on a file or something.
>
> The whole point of Windows protected processes is to avoid letting somebody debug them even if they have full control over the machine (they were originally designed for DRM). In testsigning mode or with a kernel debugger, they usually won't launch at all (CSRSS will - it's critical for all Win32 processes, including stuff like Explorer - but the DRM ones won't). We could theoretically patch around this with the aforementioned kernel debugger or with a testsigned kernel-mode driver, but if we could put RT into Testsigning or use a KD on it we wouldn't need anything else at all anyhow; either of those are sufficient for an easy jailbreak.

So, just to clarify, we cannot use this undocumented API call that works in Win8.1 x64 on RT:

Code:
[DllImport("ntdll.dll", SetLastError = true)]
internal static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass, ref int processInformation, int processInformationLength);

int enable = 0;
NativeMethods.NtSetInformationProcess(CSRSS.exe HANDLE, 29, ref enable, sizeof(int));

C# code of course, but you could easily code it in any language.